8.6. ATT&CK¶
8.6.1. Introduction¶
MITRE is a U.S. government-funded research institution that spun off from MIT in 1958 and has been involved in a number of commercial and top-secret projects. These include the development of the FAA air traffic control system and the AWACS airborne radar system. MITRE is engaged in a number of cybersecurity practices under the auspices of the National Institute of Standards and Technology (NIST).
MITRE launched the ATT&CK™ model in 2013, its full name is Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), which is a model that describes the techniques used in various stages of an attack from an attacker’s perspective. Convert known attacker behaviors into structured lists, aggregate these known behaviors into tactics and techniques, and pass several matrices as well as Structured Threat Information Expressions (STIX), Trusted Automated Exchange of Indicator Information (TAXII) To represent. Because this list is a fairly comprehensive representation of the behavior that attackers take when attacking a network, it is useful for a variety of offensive and defensive metrics, representations, and other mechanisms. Mostly used to simulate attacks, assess and improve defense capabilities, threat intelligence extraction and modeling, threat assessment and analysis.
The official description of ATT&CK is:
MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target.
Compared with models such as Kill Chain, ATT&CK has a lower level of abstraction, but it is higher than a common exploit and vulnerability database. MITRE believes that Kill Chain is helpful to understand the attack process in high dimensions, but it cannot effectively describe the behavior of the adversary in a single vulnerability.
At present, the ATT&CK model is divided into three parts, namely PRE-ATT&CK, ATT&CK for Enterprise (including Linux, macOS, Windows) and ATT&CK for Mobile (including iOS, Android). PRE-ATT&CK covers the first two stages of the attack chain model ( Reconnaissance Tracking, Weapon Build), ATT&CK for Enterprise covers the last five stages of the attack chain (payload delivery, exploit, installation implant, command and control, target achievement), ATT&CK Matrix for Mobile mainly targets mobile platforms.
PRE-ATT&CK includes tactics such as priority definition, target selection, information gathering, discovery of vulnerabilities, offensive exploitation of development platforms, establishment and maintenance of infrastructure, development of personnel, building capabilities, testing capabilities, and segmentation capabilities.
ATT&CK for Enterprise includes tactics such as access initialization, execution, residency, privilege escalation, defense evasion, access credentials, discovery, lateral movement, collection, data acquisition, and command and control.
8.6.2. TTP¶
When MITRE defines ATT&CK, it defines some key objects: Organization (Groups), Software (Software), Technology (Techniques), Tactics (Tactics).
Where organizations use tactics and software, software implements technology, and technology implements tactics. For example, APT28 (organization) uses Mimikatz (software) to achieve the effect of obtaining login credentials (technique) and achieve the purpose of logging in with user rights (tactics). The entire attack behavior is also called TTP, which is a collection of tactics, techniques, and procedures.